LXR linux/kernel/trace/bpf

   1/* Copyright (c) 2011-2015 PLUMgrid, http://plumgrid.com
   2 * Copyright (c) 2016 Facebook
   3 *
   4 * This program is free software; you can redistribute it and/or
   5 * modify it under the terms of version 2 of the GNU General Public
   6 * License as published by the Free Software Foundation.
   7 */
   8#include <linux/kernel.h>
   9#include <linux/types.h>
  10#include <linux/slab.h>
  11#include <linux/bpf.h>
  12#include <linux/bpf_perf_event.h>
  13#include <linux/filter.h>
  14#include <linux/uaccess.h>
  15#include <linux/ctype.h>
  16#include <linux/kprobes.h>
  17#include <linux/error-injection.h>
  18
  19#include "trace_probe.h"
  20#include "trace.h"
  21
  22u64 bpf_get_stackid(u64 r1, u64 r2, u64 r3, u64 r4, u64 r5);
  23
  24/**
  25 * trace_call_bpf - invoke BPF program
  26 * @call: tracepoint event
  27 * @ctx: opaque context pointer
  28 *
  29 * kprobe handlers execute BPF programs via this helper.
  30 * Can be used from static tracepoints in the future.
  31 *
  32 * Return: BPF programs always return an integer which is interpreted by
  33 * kprobe handler as:
  34 * 0 - return from kprobe (event is filtered out)
  35 * 1 - store kprobe event into ring buffer
  36 * Other values are reserved and currently alias to 1
  37 */
  38unsigned int trace_call_bpf(struct trace_event_call *call, void *ctx)
  39{
  40        unsigned int ret;
  41
  42        if (in_nmi()) /* not supported yet */
  43                return 1;
  44
  45        preempt_disable();
  46
  47        if (unlikely(__this_cpu_inc_return(bpf_prog_active) != 1)) {
  48                /*
  49                 * since some bpf program is already running on this cpu,
  50                 * don't call into another bpf program (same or different)
  51                 * and don't send kprobe event into ring-buffer,
  52                 * so return zero here
  53                 */
  54                ret = 0;
  55                goto out;
  56        }
  57
  58        /*
  59         * Instead of moving rcu_read_lock/rcu_dereference/rcu_read_unlock
  60         * to all call sites, we did a bpf_prog_array_valid() there to check
  61         * whether call->prog_array is empty or not, which is
  62         * a heurisitc to speed up execution.
  63         *
  64         * If bpf_prog_array_valid() fetched prog_array was
  65         * non-NULL, we go into trace_call_bpf() and do the actual
  66         * proper rcu_dereference() under RCU lock.
  67         * If it turns out that prog_array is NULL then, we bail out.
  68         * For the opposite, if the bpf_prog_array_valid() fetched pointer
  69         * was NULL, you'll skip the prog_array with the risk of missing
  70         * out of events when it was updated in between this and the
  71         * rcu_dereference() which is accepted risk.
  72         */
  73        ret = BPF_PROG_RUN_ARRAY_CHECK(call->prog_array, ctx, BPF_PROG_RUN);
  74
  75 out:
  76        __this_cpu_dec(bpf_prog_active);
  77        preempt_enable();
  78
  79        return ret;
  80}
  81EXPORT_SYMBOL_GPL(trace_call_bpf);
  82
  83#ifdef CONFIG_BPF_KPROBE_OVERRIDE
  84BPF_CALL_2(bpf_override_return, struct pt_regs *, regs, unsigned long, rc)
  85{
  86        regs_set_return_value(regs, rc);
  87        override_function_with_return(regs);
  88        return 0;
  89}
  90
  91static const struct bpf_func_proto bpf_override_return_proto = {
  92        .func           = bpf_override_return,
  93        .gpl_only       = true,
  94        .ret_type       = RET_INTEGER,
  95        .arg1_type      = ARG_PTR_TO_CTX,
  96        .arg2_type      = ARG_ANYTHING,
  97};
  98#endif
  99
 100BPF_CALL_3(bpf_probe_read, void *, dst, u32, size, const void *, unsafe_ptr)
 101{
 102        int ret;
 103
 104        ret = probe_kernel_read(dst, unsafe_ptr, size);
 105        if (unlikely(ret < 0))
 106                memset(dst, 0, size);
 107
 108        return ret;
 109}
 110
 111static const struct bpf_func_proto bpf_probe_read_proto = {
 112        .func           = bpf_probe_read,
 113        .gpl_only       = true,
 114        .ret_type       = RET_INTEGER,
 115        .arg1_type      = ARG_PTR_TO_UNINIT_MEM,
 116        .arg2_type      = ARG_CONST_SIZE_OR_ZERO,
 117        .arg3_type      = ARG_ANYTHING,
 118};
 119
 120BPF_CALL_3(bpf_probe_write_user, void *, unsafe_ptr, const void *, src,
 121           u32, size)
 122{
 123        /*
 124         * Ensure we're in user context which is safe for the helper to
 125         * run. This helper has no business in a kthread.
 126         *
 127         * access_ok() should prevent writing to non-user memory, but in
 128         * some situations (nommu, temporary switch, etc) access_ok() does
 129         * not provide enough validation, hence the check on KERNEL_DS.
 130         */
 131
 132        if (unlikely(in_interrupt() ||
 133                     current->flags & (PF_KTHREAD | PF_EXITING)))
 134                return -EPERM;
 135        if (unlikely(uaccess_kernel()))
 136                return -EPERM;
 137        if (!access_ok(VERIFY_WRITE, unsafe_ptr, size))
 138                return -EPERM;
 139
 140        return probe_kernel_write(unsafe_ptr, src, size);
 141}
 142
 143static const struct bpf_func_proto bpf_probe_write_user_proto = {
 144        .func           = bpf_probe_write_user,
 145        .gpl_only       = true,
 146        .ret_type       = RET_INTEGER,
 147        .arg1_type      = ARG_ANYTHING,
 148        .arg2_type      = ARG_PTR_TO_MEM,
 149        .arg3_type      = ARG_CONST_SIZE,
 150};
 151
 152static const struct bpf_func_proto *bpf_get_probe_write_proto(void)
 153{
 154        pr_warn_ratelimited("%s[%d] is installing a program with bpf_probe_write_user helper that may corrupt user memory!",
 155                            current->comm, task_pid_nr(current));
 156
 157        return &bpf_probe_write_user_proto;
 158}
 159
 160/*
 161 * Only limited trace_printk() conversion specifiers allowed:
 162 * %d %i %u %x %ld %li %lu %lx %lld %lli %llu %llx %p %s
 163 */
 164BPF_CALL_5(bpf_trace_printk, char *, fmt, u32, fmt_size, u64, arg1,
 165           u64, arg2, u64, arg3)
 166{
 167        bool str_seen = false;
 168        int mod[3] = {};
 169        int fmt_cnt = 0;
 170        u64 unsafe_addr;
 171        char buf[64];
 172        int i;
 173
 174        /*
 175         * bpf_check()->check_func_arg()->check_stack_boundary()
 176         * guarantees that fmt points to bpf program stack,
 177         * fmt_size bytes of it were initialized and fmt_size > 0
 178         */
 179        if (fmt[--fmt_size] != 0)
 180                return -EINVAL;
 181
 182        /* check format string for allowed specifiers */
 183        for (i = 0; i < fmt_size; i++) {
 184                if ((!isprint(fmt[i]) && !isspace(fmt[i])) || !isascii(fmt[i]))
 185                        return -EINVAL;
 186
 187                if (fmt[i] != '%')
 188                        continue;
 189
 190                if (fmt_cnt >= 3)
 191                        return -EINVAL;
 192
 193                /* fmt[i] != 0 && fmt[last] == 0, so we can access fmt[i + 1] */
 194                i++;
 195                if (fmt[i] == 'l') {
 196                        mod[fmt_cnt]++;
 197                        i++;
 198                } else if (fmt[i] == 'p' || fmt[i] == 's') {
 199                        mod[fmt_cnt]++;
 200                        i++;
 201                        if (!isspace(fmt[i]) && !ispunct(fmt[i]) && fmt[i] != 0)
 202                                return -EINVAL;
 203                        fmt_cnt++;
 204                        if (fmt[i - 1] == 's') {
 205                                if (str_seen)
 206                                        /* allow only one '%s' per fmt string */
 207                                        return -EINVAL;
 208                                str_seen = true;
 209
 210                                switch (fmt_cnt) {
 211                                case 1:
 212                                        unsafe_addr = arg1;
 213                                        arg1 = (long) buf;
 214                                        break;
 215                                case 2:
 216                                        unsafe_addr = arg2;
 217                                        arg2 = (long) buf;
 218                                        break;
 219                                case 3:
 220                                        unsafe_addr = arg3;
 221                                        arg3 = (long) buf;
 222                                        break;
 223                                }
 224                                buf[0] = 0;
 225                                strncpy_from_unsafe(buf,
 226                                                    (void *) (long) unsafe_addr,
 227                                                    sizeof(buf));
 228                        }
 229                        continue;
 230                }
 231
 232                if (fmt[i] == 'l') {
 233                        mod[fmt_cnt]++;
 234                        i++;
 235                }
 236
 237                if (fmt[i] != 'i' && fmt[i] != 'd' &&
 238                    fmt[i] != 'u' && fmt[i] != 'x')
 239                        return -EINVAL;
 240                fmt_cnt++;
 241        }
 242
 243/* Horrid workaround for getting va_list handling working with different
 244 * argument type combinations generically for 32 and 64 bit archs.
 245 */
 246#define __BPF_TP_EMIT() __BPF_ARG3_TP()
 247#define __BPF_TP(...)                                                   \
 248        __trace_printk(0 /* Fake ip */,                                 \
 249                       fmt, ##__VA_ARGS__)
 250
 251#define __BPF_ARG1_TP(...)                                              \
 252        ((mod[0] == 2 || (mod[0] == 1 && __BITS_PER_LONG == 64))        \
 253          ? __BPF_TP(arg1, ##__VA_ARGS__)                               \
 254          : ((mod[0] == 1 || (mod[0] == 0 && __BITS_PER_LONG == 32))    \
 255              ? __BPF_TP((long)arg1, ##__VA_ARGS__)                     \
 256              : __BPF_TP((u32)arg1, ##__VA_ARGS__)))
 257
 258#define __BPF_ARG2_TP(...)                                              \
 259        ((mod[1] == 2 || (mod[1] == 1 && __BITS_PER_LONG == 64))        \
 260          ? __BPF_ARG1_TP(arg2, ##__VA_ARGS__)                          \
 261          : ((mod[1] == 1 || (mod[1] == 0 && __BITS_PER_LONG == 32))    \
 262              ? __BPF_ARG1_TP((long)arg2, ##__VA_ARGS__)                \
 263              : __BPF_ARG1_TP((u32)arg2, ##__VA_ARGS__)))
 264
 265#define __BPF_ARG3_TP(...)                                              \
 266        ((mod[2] == 2 || (mod[2] == 1 && __BITS_PER_LONG == 64))        \
 267          ? __BPF_ARG2_TP(arg3, ##__VA_ARGS__)                          \
 268          : ((mod[2] == 1 || (mod[2] == 0 && __BITS_PER_LONG == 32))    \
 269              ? __BPF_ARG2_TP((long)arg3, ##__VA_ARGS__)                \
 270              : __BPF_ARG2_TP((u32)arg3, ##__VA_ARGS__)))
 271
 272        return __BPF_TP_EMIT();
 273}
 274
 275static const struct bpf_func_proto bpf_trace_printk_proto = {
 276        .func           = bpf_trace_printk,
 277        .gpl_only       = true,
 278        .ret_type       = RET_INTEGER,
 279        .arg1_type      = ARG_PTR_TO_MEM,
 280        .arg2_type      = ARG_CONST_SIZE,
 281};
 282
 283const struct bpf_func_proto *bpf_get_trace_printk_proto(void)
 284{
 285        /*
 286         * this program might be calling bpf_trace_printk,
 287         * so allocate per-cpu printk buffers
 288         */
 289        trace_printk_init_buffers();
 290
 291        return &bpf_trace_printk_proto;
 292}
 293
 294static __always_inline int
 295get_map_perf_counter(struct bpf_map *map, u64 flags,
 296                     u64 *value, u64 *enabled, u64 *running)
 297{
 298        struct bpf_array *array = container_of(map, struct bpf_array, map);
 299        unsigned int cpu = smp_processor_id();
 300        u64 index = flags & BPF_F_INDEX_MASK;
 301        struct bpf_event_entry *ee;
 302
 303        if (unlikely(flags & ~(BPF_F_INDEX_MASK)))
 304                return -EINVAL;
 305        if (index == BPF_F_CURRENT_CPU)
 306                index = cpu;
 307        if (unlikely(index >= array->map.max_entries))
 308                return -E2BIG;
 309
 310        ee = READ_ONCE(array->ptrs[index]);
 311        if (!ee)
 312                return -ENOENT;
 313
 314        return perf_event_read_local(ee->event, value, enabled, running);
 315}
 316
 317BPF_CALL_2(bpf_perf_event_read, struct bpf_map *, map, u64, flags)
 318{
 319        u64 value = 0;
 320        int err;
 321
 322        err = get_map_perf_counter(map, flags, &value, NULL, NULL);
 323        /*
 324         * this api is ugly since we miss [-22..-2] range of valid
 325         * counter values, but that's uapi
 326         */
 327        if (err)
 328                return err;
 329        return value;
 330}
 331
 332static const struct bpf_func_proto bpf_perf_event_read_proto = {
 333        .func           = bpf_perf_event_read,
 334        .gpl_only       = true,
 335        .ret_type       = RET_INTEGER,
 336        .arg1_type      = ARG_CONST_MAP_PTR,
 337        .arg2_type      = ARG_ANYTHING,
 338};
 339
 340BPF_CALL_4(bpf_perf_event_read_value, struct bpf_map *, map, u64, flags,
 341           struct bpf_perf_event_value *, buf, u32, size)
 342{
 343        int err = -EINVAL;
 344
 345        if (unlikely(size != sizeof(struct bpf_perf_event_value)))
 346                goto clear;
 347        err = get_map_perf_counter(map, flags, &buf->counter, &buf->enabled,
 348                                   &buf->running);
 349        if (unlikely(err))
 350                goto clear;
 351        return 0;
 352clear:
 353        memset(buf, 0, size);
 354        return err;
 355}
 356
 357static const struct bpf_func_proto bpf_perf_event_read_value_proto = {
 358        .func           = bpf_perf_event_read_value,
 359        .gpl_only       = true,
 360        .ret_type       = RET_INTEGER,
 361        .arg1_type      = ARG_CONST_MAP_PTR,
 362        .arg2_type      = ARG_ANYTHING,
 363        .arg3_type      = ARG_PTR_TO_UNINIT_MEM,
 364        .arg4_type      = ARG_CONST_SIZE,
 365};
 366
 367static DEFINE_PER_CPU(struct perf_sample_data, bpf_trace_sd);
 368
 369static __always_inline u64
 370__bpf_perf_event_output(struct pt_regs *regs, struct bpf_map *map,
 371                        u64 flags, struct perf_sample_data *sd)
 372{
 373        struct bpf_array *array = container_of(map, struct bpf_array, map);
 374        unsigned int cpu = smp_processor_id();
 375        u64 index = flags & BPF_F_INDEX_MASK;
 376        struct bpf_event_entry *ee;
 377        struct perf_event *event;
 378
 379        if (index == BPF_F_CURRENT_CPU)
 380                index = cpu;
 381        if (unlikely(index >= array->map.max_entries))
 382                return -E2BIG;
 383
 384        ee = READ_ONCE(array->ptrs[index]);
 385        if (!ee)
 386                return -ENOENT;
 387
 388        event = ee->event;
 389        if (unlikely(event->attr.type != PERF_TYPE_SOFTWARE ||
 390                     event->attr.config != PERF_COUNT_SW_BPF_OUTPUT))
 391                return -EINVAL;
 392
 393        if (unlikely(event->oncpu != cpu))
 394                return -EOPNOTSUPP;
 395
 396        perf_event_output(event, sd, regs);
 397        return 0;
 398}
 399
 400BPF_CALL_5(bpf_perf_event_output, struct pt_regs *, regs, struct bpf_map *, map,
 401           u64, flags, void *, data, u64, size)
 402{
 403        struct perf_sample_data *sd = this_cpu_ptr(&bpf_trace_sd);
 404        struct perf_raw_record raw = {
 405                .frag = {
 406                        .size = size,
 407                        .data = data,
 408                },
 409        };
 410
 411        if (unlikely(flags & ~(BPF_F_INDEX_MASK)))
 412                return -EINVAL;
 413
 414        perf_sample_data_init(sd, 0, 0);
 415        sd->raw = &raw;
 416
 417        return __bpf_perf_event_output(regs, map, flags, sd);
 418}
 419
 420static const struct bpf_func_proto bpf_perf_event_output_proto = {
 421        .func           = bpf_perf_event_output,
 422        .gpl_only       = true,
 423        .ret_type       = RET_INTEGER,
 424        .arg1_type      = ARG_PTR_TO_CTX,
 425        .arg2_type      = ARG_CONST_MAP_PTR,
 426        .arg3_type      = ARG_ANYTHING,
 427        .arg4_type      = ARG_PTR_TO_MEM,
 428        .arg5_type      = ARG_CONST_SIZE_OR_ZERO,
 429};
 430
 431static DEFINE_PER_CPU(struct pt_regs, bpf_pt_regs);
 432static DEFINE_PER_CPU(struct perf_sample_data, bpf_misc_sd);
 433
 434u64 bpf_event_output(struct bpf_map *map, u64 flags, void *meta, u64 meta_size,
 435                     void *ctx, u64 ctx_size, bpf_ctx_copy_t ctx_copy)
 436{
 437        struct perf_sample_data *sd = this_cpu_ptr(&bpf_misc_sd);
 438        struct pt_regs *regs = this_cpu_ptr(&bpf_pt_regs);
 439        struct perf_raw_frag frag = {
 440                .copy           = ctx_copy,
 441                .size           = ctx_size,
 442                .data           = ctx,
 443        };
 444        struct perf_raw_record raw = {
 445                .frag = {
 446                        {
 447                                .next   = ctx_size ? &frag : NULL,
 448                        },
 449                        .size   = meta_size,
 450                        .data   = meta,
 451                },
 452        };
 453
 454        perf_fetch_caller_regs(regs);
 455        perf_sample_data_init(sd, 0, 0);
 456        sd->raw = &raw;
 457
 458        return __bpf_perf_event_output(regs, map, flags, sd);
 459}
 460
 461BPF_CALL_0(bpf_get_current_task)
 462{
 463        return (long) current;
 464}
 465
 466static const struct bpf_func_proto bpf_get_current_task_proto = {
 467        .func           = bpf_get_current_task,
 468        .gpl_only       = true,
 469        .ret_type       = RET_INTEGER,
 470};
 471
 472BPF_CALL_2(bpf_current_task_under_cgroup, struct bpf_map *, map, u32, idx)
 473{
 474        struct bpf_array *array = container_of(map, struct bpf_array, map);
 475        struct cgroup *cgrp;
 476
 477        if (unlikely(in_interrupt()))
 478                return -EINVAL;
 479        if (unlikely(idx >= array->map.max_entries))
 480                return -E2BIG;
 481
 482        cgrp = READ_ONCE(array->ptrs[idx]);
 483        if (unlikely(!cgrp))
 484                return -EAGAIN;
 485
 486        return task_under_cgroup_hierarchy(current, cgrp);
 487}
 488
 489static const struct bpf_func_proto bpf_current_task_under_cgroup_proto = {
 490        .func           = bpf_current_task_under_cgroup,
 491        .gpl_only       = false,
 492        .ret_type       = RET_INTEGER,
 493        .arg1_type      = ARG_CONST_MAP_PTR,
 494        .arg2_type      = ARG_ANYTHING,
 495};
 496
 497BPF_CALL_3(bpf_probe_read_str, void *, dst, u32, size,
 498           const void *, unsafe_ptr)
 499{
 500        int ret;
 501
 502        /*
 503         * The strncpy_from_unsafe() call will likely not fill the entire
 504         * buffer, but that's okay in this circumstance as we're probing
 505         * arbitrary memory anyway similar to bpf_probe_read() and might
 506         * as well probe the stack. Thus, memory is explicitly cleared
 507         * only in error case, so that improper users ignoring return
 508         * code altogether don't copy garbage; otherwise length of string
 509         * is returned that can be used for bpf_perf_event_output() et al.
 510         */
 511        ret = strncpy_from_unsafe(dst, unsafe_ptr, size);
 512        if (unlikely(ret < 0))
 513                memset(dst, 0, size);
 514
 515        return ret;
 516}
 517
 518static const struct bpf_func_proto bpf_probe_read_str_proto = {
 519        .func           = bpf_probe_read_str,
 520        .gpl_only       = true,
 521        .ret_type       = RET_INTEGER,
 522        .arg1_type      = ARG_PTR_TO_UNINIT_MEM,
 523        .arg2_type      = ARG_CONST_SIZE_OR_ZERO,
 524        .arg3_type      = ARG_ANYTHING,
 525};
 526
 527static const struct bpf_func_proto *
 528tracing_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
 529{
 530        switch (func_id) {
 531        case BPF_FUNC_map_lookup_elem:
 532                return &bpf_map_lookup_elem_proto;
 533        case BPF_FUNC_map_update_elem:
 534                return &bpf_map_update_elem_proto;
 535        case BPF_FUNC_map_delete_elem:
 536                return &bpf_map_delete_elem_proto;
 537        case BPF_FUNC_probe_read:
 538                return &bpf_probe_read_proto;
 539        case BPF_FUNC_ktime_get_ns:
 540                return &bpf_ktime_get_ns_proto;
 541        case BPF_FUNC_tail_call:
 542                return &bpf_tail_call_proto;
 543        case BPF_FUNC_get_current_pid_tgid:
 544                return &bpf_get_current_pid_tgid_proto;
 545        case BPF_FUNC_get_current_task:
 546                return &bpf_get_current_task_proto;
 547        case BPF_FUNC_get_current_uid_gid:
 548                return &bpf_get_current_uid_gid_proto;
 549        case BPF_FUNC_get_current_comm:
 550                return &bpf_get_current_comm_proto;
 551        case BPF_FUNC_trace_printk:
 552                return bpf_get_trace_printk_proto();
 553        case BPF_FUNC_get_smp_processor_id:
 554                return &bpf_get_smp_processor_id_proto;
 555        case BPF_FUNC_get_numa_node_id:
 556                return &bpf_get_numa_node_id_proto;
 557        case BPF_FUNC_perf_event_read:
 558                return &bpf_perf_event_read_proto;
 559        case BPF_FUNC_probe_write_user:
 560                return bpf_get_probe_write_proto();
 561        case BPF_FUNC_current_task_under_cgroup:
 562                return &bpf_current_task_under_cgroup_proto;
 563        case BPF_FUNC_get_prandom_u32:
 564                return &bpf_get_prandom_u32_proto;
 565        case BPF_FUNC_probe_read_str:
 566                return &bpf_probe_read_str_proto;
 567        default:
 568                return NULL;
 569        }
 570}
 571
 572static const struct bpf_func_proto *
 573kprobe_prog_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
 574{
 575        switch (func_id) {
 576        case BPF_FUNC_perf_event_output:
 577                return &bpf_perf_event_output_proto;
 578        case BPF_FUNC_get_stackid:
 579                return &bpf_get_stackid_proto;
 580        case BPF_FUNC_perf_event_read_value:
 581                return &bpf_perf_event_read_value_proto;
 582#ifdef CONFIG_BPF_KPROBE_OVERRIDE
 583        case BPF_FUNC_override_return:
 584                return &bpf_override_return_proto;
 585#endif
 586        default:
 587                return tracing_func_proto(func_id, prog);
 588        }
 589}
 590
 591/* bpf+kprobe programs can access fields of 'struct pt_regs' */
 592static bool kprobe_prog_is_valid_access(int off, int size, enum bpf_access_type type,
 593                                        const struct bpf_prog *prog,
 594                                        struct bpf_insn_access_aux *info)
 595{
 596        if (off < 0 || off >= sizeof(struct pt_regs))
 597                return false;
 598        if (type != BPF_READ)
 599                return false;
 600        if (off % size != 0)
 601                return false;
 602        /*
 603         * Assertion for 32 bit to make sure last 8 byte access
 604         * (BPF_DW) to the last 4 byte member is disallowed.
 605         */
 606        if (off + size > sizeof(struct pt_regs))
 607                return false;
 608
 609        return true;
 610}
 611
 612const struct bpf_verifier_ops kprobe_verifier_ops = {
 613        .get_func_proto  = kprobe_prog_func_proto,
 614        .is_valid_access = kprobe_prog_is_valid_access,
 615};
 616
 617const struct bpf_prog_ops kprobe_prog_ops = {
 618};
 619
 620BPF_CALL_5(bpf_perf_event_output_tp, void *, tp_buff, struct bpf_map *, map,
 621           u64, flags, void *, data, u64, size)
 622{
 623        struct pt_regs *regs = *(struct pt_regs **)tp_buff;
 624
 625        /*
 626         * r1 points to perf tracepoint buffer where first 8 bytes are hidden
 627         * from bpf program and contain a pointer to 'struct pt_regs'. Fetch it
 628         * from there and call the same bpf_perf_event_output() helper inline.
 629         */
 630        return ____bpf_perf_event_output(regs, map, flags, data, size);
 631}
 632
 633static const struct bpf_func_proto bpf_perf_event_output_proto_tp = {
 634        .func           = bpf_perf_event_output_tp,
 635        .gpl_only       = true,
 636        .ret_type       = RET_INTEGER,
 637        .arg1_type      = ARG_PTR_TO_CTX,
 638        .arg2_type      = ARG_CONST_MAP_PTR,
 639        .arg3_type      = ARG_ANYTHING,
 640        .arg4_type      = ARG_PTR_TO_MEM,
 641        .arg5_type      = ARG_CONST_SIZE_OR_ZERO,
 642};
 643
 644BPF_CALL_3(bpf_get_stackid_tp, void *, tp_buff, struct bpf_map *, map,
 645           u64, flags)
 646{
 647        struct pt_regs *regs = *(struct pt_regs **)tp_buff;
 648
 649        /*
 650         * Same comment as in bpf_perf_event_output_tp(), only that this time
 651         * the other helper's function body cannot be inlined due to being
 652         * external, thus we need to call raw helper function.
 653         */
 654        return bpf_get_stackid((unsigned long) regs, (unsigned long) map,
 655                               flags, 0, 0);
 656}
 657
 658static const struct bpf_func_proto bpf_get_stackid_proto_tp = {
 659        .func           = bpf_get_stackid_tp,
 660        .gpl_only       = true,
 661        .ret_type       = RET_INTEGER,
 662        .arg1_type      = ARG_PTR_TO_CTX,
 663        .arg2_type      = ARG_CONST_MAP_PTR,
 664        .arg3_type      = ARG_ANYTHING,
 665};
 666
 667static const struct bpf_func_proto *
 668tp_prog_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
 669{
 670        switch (func_id) {
 671        case BPF_FUNC_perf_event_output:
 672                return &bpf_perf_event_output_proto_tp;
 673        case BPF_FUNC_get_stackid:
 674                return &bpf_get_stackid_proto_tp;
 675        default:
 676                return tracing_func_proto(func_id, prog);
 677        }
 678}
 679
 680static bool tp_prog_is_valid_access(int off, int size, enum bpf_access_type type,
 681                                    const struct bpf_prog *prog,
 682                                    struct bpf_insn_access_aux *info)
 683{
 684        if (off < sizeof(void *) || off >= PERF_MAX_TRACE_SIZE)
 685                return false;
 686        if (type != BPF_READ)
 687                return false;
 688        if (off % size != 0)
 689                return false;
 690
 691        BUILD_BUG_ON(PERF_MAX_TRACE_SIZE % sizeof(__u64));
 692        return true;
 693}
 694
 695const struct bpf_verifier_ops tracepoint_verifier_ops = {
 696        .get_func_proto  = tp_prog_func_proto,
 697        .is_valid_access = tp_prog_is_valid_access,
 698};
 699
 700const struct bpf_prog_ops tracepoint_prog_ops = {
 701};
 702
 703BPF_CALL_3(bpf_perf_prog_read_value, struct bpf_perf_event_data_kern *, ctx,
 704           struct bpf_perf_event_value *, buf, u32, size)
 705{
 706        int err = -EINVAL;
 707
 708        if (unlikely(size != sizeof(struct bpf_perf_event_value)))
 709                goto clear;
 710        err = perf_event_read_local(ctx->event, &buf->counter, &buf->enabled,
 711                                    &buf->running);
 712        if (unlikely(err))
 713                goto clear;
 714        return 0;
 715clear:
 716        memset(buf, 0, size);
 717        return err;
 718}
 719
 720static const struct bpf_func_proto bpf_perf_prog_read_value_proto = {
 721         .func           = bpf_perf_prog_read_value,
 722         .gpl_only       = true,
 723         .ret_type       = RET_INTEGER,
 724         .arg1_type      = ARG_PTR_TO_CTX,
 725         .arg2_type      = ARG_PTR_TO_UNINIT_MEM,
 726         .arg3_type      = ARG_CONST_SIZE,
 727};
 728
 729static const struct bpf_func_proto *
 730pe_prog_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
 731{
 732        switch (func_id) {
 733        case BPF_FUNC_perf_event_output:
 734                return &bpf_perf_event_output_proto_tp;
 735        case BPF_FUNC_get_stackid:
 736                return &bpf_get_stackid_proto_tp;
 737        case BPF_FUNC_perf_prog_read_value:
 738                return &bpf_perf_prog_read_value_proto;
 739        default:
 740                return tracing_func_proto(func_id, prog);
 741        }
 742}
 743
 744/*
 745 * bpf_raw_tp_regs are separate from bpf_pt_regs used from skb/xdp
 746 * to avoid potential recursive reuse issue when/if tracepoints are added
 747 * inside bpf_*_event_output and/or bpf_get_stack_id
 748 */
 749static DEFINE_PER_CPU(struct pt_regs, bpf_raw_tp_regs);
 750BPF_CALL_5(bpf_perf_event_output_raw_tp, struct bpf_raw_tracepoint_args *, args,
 751           struct bpf_map *, map, u64, flags, void *, data, u64, size)
 752{
 753        struct pt_regs *regs = this_cpu_ptr(&bpf_raw_tp_regs);
 754
 755        perf_fetch_caller_regs(regs);
 756        return ____bpf_perf_event_output(regs, map, flags, data, size);
 757}
 758
 759static const struct bpf_func_proto bpf_perf_event_output_proto_raw_tp = {
 760        .func           = bpf_perf_event_output_raw_tp,
 761        .gpl_only       = true,
 762        .ret_type       = RET_INTEGER,
 763        .arg1_type      = ARG_PTR_TO_CTX,
 764        .arg2_type      = ARG_CONST_MAP_PTR,
 765        .arg3_type      = ARG_ANYTHING,
 766        .arg4_type      = ARG_PTR_TO_MEM,
 767        .arg5_type      = ARG_CONST_SIZE_OR_ZERO,
 768};
 769
 770BPF_CALL_3(bpf_get_stackid_raw_tp, struct bpf_raw_tracepoint_args *, args,
 771           struct bpf_map *, map, u64, flags)
 772{
 773        struct pt_regs *regs = this_cpu_ptr(&bpf_raw_tp_regs);
 774
 775        perf_fetch_caller_regs(regs);
 776        /* similar to bpf_perf_event_output_tp, but pt_regs fetched differently */
 777        return bpf_get_stackid((unsigned long) regs, (unsigned long) map,
 778                               flags, 0, 0);
 779}
 780
 781static const struct bpf_func_proto bpf_get_stackid_proto_raw_tp = {
 782        .func           = bpf_get_stackid_raw_tp,
 783        .gpl_only       = true,
 784        .ret_type       = RET_INTEGER,
 785        .arg1_type      = ARG_PTR_TO_CTX,
 786        .arg2_type      = ARG_CONST_MAP_PTR,
 787        .arg3_type      = ARG_ANYTHING,
 788};
 789
 790static const struct bpf_func_proto *
 791raw_tp_prog_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
 792{
 793        switch (func_id) {
 794        case BPF_FUNC_perf_event_output:
 795                return &bpf_perf_event_output_proto_raw_tp;
 796        case BPF_FUNC_get_stackid:
 797                return &bpf_get_stackid_proto_raw_tp;
 798        default:
 799                return tracing_func_proto(func_id, prog);
 800        }
 801}
 802
 803static bool raw_tp_prog_is_valid_access(int off, int size,
 804                                        enum bpf_access_type type,
 805                                        const struct bpf_prog *prog,
 806                                        struct bpf_insn_access_aux *info)
 807{
 808        /* largest tracepoint in the kernel has 12 args */
 809        if (off < 0 || off >= sizeof(__u64) * 12)
 810                return false;
 811        if (type != BPF_READ)
 812                return false;
 813        if (off % size != 0)
 814                return false;
 815        return true;
 816}
 817
 818const struct bpf_verifier_ops raw_tracepoint_verifier_ops = {
 819        .get_func_proto  = raw_tp_prog_func_proto,
 820        .is_valid_access = raw_tp_prog_is_valid_access,
 821};
 822
 823const struct bpf_prog_ops raw_tracepoint_prog_ops = {
 824};
 825
 826static bool pe_prog_is_valid_access(int off, int size, enum bpf_access_type type,
 827                                    const struct bpf_prog *prog,
 828                                    struct bpf_insn_access_aux *info)
 829{
 830        const int size_u64 = sizeof(u64);
 831
 832        if (off < 0 || off >= sizeof(struct bpf_perf_event_data))
 833                return false;
 834        if (type != BPF_READ)
 835                return false;
 836        if (off % size != 0)
 837                return false;
 838
 839        switch (off) {
 840        case bpf_ctx_range(struct bpf_perf_event_data, sample_period):
 841                bpf_ctx_record_field_size(info, size_u64);
 842                if (!bpf_ctx_narrow_access_ok(off, size, size_u64))
 843                        return false;
 844                break;
 845        case bpf_ctx_range(struct bpf_perf_event_data, addr):
 846                bpf_ctx_record_field_size(info, size_u64);
 847                if (!bpf_ctx_narrow_access_ok(off, size, size_u64))
 848                        return false;
 849                break;
 850        default:
 851                if (size != sizeof(long))
 852                        return false;
 853        }
 854
 855        return true;
 856}
 857
 858static u32 pe_prog_convert_ctx_access(enum bpf_access_type type,
 859                                      const struct bpf_insn *si,
 860                                      struct bpf_insn *insn_buf,
 861                                      struct bpf_prog *prog, u32 *target_size)
 862{
 863        struct bpf_insn *insn = insn_buf;
 864
 865        switch (si->off) {
 866        case offsetof(struct bpf_perf_event_data, sample_period):
 867                *insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF(struct bpf_perf_event_data_kern,
 868                                                       data), si->dst_reg, si->src_reg,
 869                                      offsetof(struct bpf_perf_event_data_kern, data));
 870                *insn++ = BPF_LDX_MEM(BPF_DW, si->dst_reg, si->dst_reg,
 871                                      bpf_target_off(struct perf_sample_data, period, 8,
 872                                                     target_size));
 873                break;
 874        case offsetof(struct bpf_perf_event_data, addr):
 875                *insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF(struct bpf_perf_event_data_kern,
 876                                                       data), si->dst_reg, si->src_reg,
 877                                      offsetof(struct bpf_perf_event_data_kern, data));
 878                *insn++ = BPF_LDX_MEM(BPF_DW, si->dst_reg, si->dst_reg,
 879                                      bpf_target_off(struct perf_sample_data, addr, 8,
 880                                                     target_size));
 881                break;
 882        default:
 883                *insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF(struct bpf_perf_event_data_kern,
 884                                                       regs), si->dst_reg, si->src_reg,
 885                                      offsetof(struct bpf_perf_event_data_kern, regs));
 886                *insn++ = BPF_LDX_MEM(BPF_SIZEOF(long), si->dst_reg, si->dst_reg,
 887                                      si->off);
 888                break;
 889        }
 890
 891        return insn - insn_buf;
 892}
 893
 894const struct bpf_verifier_ops perf_event_verifier_ops = {
 895        .get_func_proto         = pe_prog_func_proto,
 896        .is_valid_access        = pe_prog_is_valid_access,
 897        .convert_ctx_access     = pe_prog_convert_ctx_access,
 898};
 899
 900const struct bpf_prog_ops perf_event_prog_ops = {
 901};
 902
 903static DEFINE_MUTEX(bpf_event_mutex);
 904
 905#define BPF_TRACE_MAX_PROGS 64
 906
 907int perf_event_attach_bpf_prog(struct perf_event *event,
 908                               struct bpf_prog *prog)
 909{
 910        struct bpf_prog_array __rcu *old_array;
 911        struct bpf_prog_array *new_array;
 912        int ret = -EEXIST;
 913
 914        /*
 915         * Kprobe override only works if they are on the function entry,
 916         * and only if they are on the opt-in list.
 917         */
 918        if (prog->kprobe_override &&
 919            (!trace_kprobe_on_func_entry(event->tp_event) ||
 920             !trace_kprobe_error_injectable(event->tp_event)))
 921                return -EINVAL;
 922
 923        mutex_lock(&bpf_event_mutex);
 924
 925        if (event->prog)
 926                goto unlock;
 927
 928        old_array = event->tp_event->prog_array;
 929        if (old_array &&
 930            bpf_prog_array_length(old_array) >= BPF_TRACE_MAX_PROGS) {
 931                ret = -E2BIG;
 932                goto unlock;
 933        }
 934
 935        ret = bpf_prog_array_copy(old_array, NULL, prog, &new_array);
 936        if (ret < 0)
 937                goto unlock;
 938
 939        /* set the new array to event->tp_event and set event->prog */
 940        event->prog = prog;
 941        rcu_assign_pointer(event->tp_event->prog_array, new_array);
 942        bpf_prog_array_free(old_array);
 943
 944unlock:
 945        mutex_unlock(&bpf_event_mutex);
 946        return ret;
 947}
 948
 949void perf_event_detach_bpf_prog(struct perf_event *event)
 950{
 951        struct bpf_prog_array __rcu *old_array;
 952        struct bpf_prog_array *new_array;
 953        int ret;
 954
 955        mutex_lock(&bpf_event_mutex);
 956
 957        if (!event->prog)
 958                goto unlock;
 959
 960        old_array = event->tp_event->prog_array;
 961        ret = bpf_prog_array_copy(old_array, event->prog, NULL, &new_array);
 962        if (ret < 0) {
 963                bpf_prog_array_delete_safe(old_array, event->prog);
 964        } else {
 965                rcu_assign_pointer(event->tp_event->prog_array, new_array);
 966                bpf_prog_array_free(old_array);
 967        }
 968
 969        bpf_prog_put(event->prog);
 970        event->prog = NULL;
 971
 972unlock:
 973        mutex_unlock(&bpf_event_mutex);
 974}
 975
 976int perf_event_query_prog_array(struct perf_event *event, void __user *info)
 977{
 978        struct perf_event_query_bpf __user *uquery = info;
 979        struct perf_event_query_bpf query = {};
 980        u32 *ids, prog_cnt, ids_len;
 981        int ret;
 982
 983        if (!capable(CAP_SYS_ADMIN))
 984                return -EPERM;
 985        if (event->attr.type != PERF_TYPE_TRACEPOINT)
 986                return -EINVAL;
 987        if (copy_from_user(&query, uquery, sizeof(query)))
 988                return -EFAULT;
 989
 990        ids_len = query.ids_len;
 991        if (ids_len > BPF_TRACE_MAX_PROGS)
 992                return -E2BIG;
 993        ids = kcalloc(ids_len, sizeof(u32), GFP_USER | __GFP_NOWARN);
 994        if (!ids)
 995                return -ENOMEM;
 996        /*
 997         * The above kcalloc returns ZERO_SIZE_PTR when ids_len = 0, which
 998         * is required when user only wants to check for uquery->prog_cnt.
 999         * There is no need to check for it since the case is handled
1000         * gracefully in bpf_prog_array_copy_info.

1001         */
1002
1003        mutex_lock(&bpf_event_mutex);
1004        ret = bpf_prog_array_copy_info(event->tp_event->prog_array,
1005                                       ids,
1006                                       ids_len,
1007                                       &prog_cnt);
1008        mutex_unlock(&bpf_event_mutex);
1009
1010        if (copy_to_user(&uquery->prog_cnt, &prog_cnt, sizeof(prog_cnt)) ||
1011            copy_to_user(uquery->ids, ids, ids_len * sizeof(u32)))
1012                ret = -EFAULT;
1013
1014        kfree(ids);
1015        return ret;
1016}
1017
1018extern struct bpf_raw_event_map __start__bpf_raw_tp[];
1019extern struct bpf_raw_event_map __stop__bpf_raw_tp[];
1020
1021struct bpf_raw_event_map *bpf_find_raw_tracepoint(const char *name)
1022{
1023        struct bpf_raw_event_map *btp = __start__bpf_raw_tp;
1024
1025        for (; btp < __stop__bpf_raw_tp; btp++) {
1026                if (!strcmp(btp->tp->name, name))
1027                        return btp;
1028        }
1029        return NULL;
1030}
1031
1032static __always_inline
1033void __bpf_trace_run(struct bpf_prog *prog, u64 *args)
1034{
1035        rcu_read_lock();
1036        preempt_disable();
1037        (void) BPF_PROG_RUN(prog, args);
1038        preempt_enable();
1039        rcu_read_unlock();
1040}
1041
1042#define UNPACK(...)                     __VA_ARGS__
1043#define REPEAT_1(FN, DL, X, ...)        FN(X)
1044#define REPEAT_2(FN, DL, X, ...)        FN(X) UNPACK DL REPEAT_1(FN, DL, __VA_ARGS__)
1045#define REPEAT_3(FN, DL, X, ...)        FN(X) UNPACK DL REPEAT_2(FN, DL, __VA_ARGS__)
1046#define REPEAT_4(FN, DL, X, ...)        FN(X) UNPACK DL REPEAT_3(FN, DL, __VA_ARGS__)
1047#define REPEAT_5(FN, DL, X, ...)        FN(X) UNPACK DL REPEAT_4(FN, DL, __VA_ARGS__)
1048#define REPEAT_6(FN, DL, X, ...)        FN(X) UNPACK DL REPEAT_5(FN, DL, __VA_ARGS__)
1049#define REPEAT_7(FN, DL, X, ...)        FN(X) UNPACK DL REPEAT_6(FN, DL, __VA_ARGS__)
1050#define REPEAT_8(FN, DL, X, ...)        FN(X) UNPACK DL REPEAT_7(FN, DL, __VA_ARGS__)
1051#define REPEAT_9(FN, DL, X, ...)        FN(X) UNPACK DL REPEAT_8(FN, DL, __VA_ARGS__)
1052#define REPEAT_10(FN, DL, X, ...)       FN(X) UNPACK DL REPEAT_9(FN, DL, __VA_ARGS__)
1053#define REPEAT_11(FN, DL, X, ...)       FN(X) UNPACK DL REPEAT_10(FN, DL, __VA_ARGS__)
1054#define REPEAT_12(FN, DL, X, ...)       FN(X) UNPACK DL REPEAT_11(FN, DL, __VA_ARGS__)
1055#define REPEAT(X, FN, DL, ...)          REPEAT_##X(FN, DL, __VA_ARGS__)
1056
1057#define SARG(X)         u64 arg##X
1058#define COPY(X)         args[X] = arg##X
1059
1060#define __DL_COM        (,)
1061#define __DL_SEM        (;)
1062
1063#define __SEQ_0_11      0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11
1064
1065#define BPF_TRACE_DEFN_x(x)                                             \
1066        void bpf_trace_run##x(struct bpf_prog *prog,                    \
1067                              REPEAT(x, SARG, __DL_COM, __SEQ_0_11))    \
1068        {                                                               \
1069                u64 args[x];                                            \
1070                REPEAT(x, COPY, __DL_SEM, __SEQ_0_11);                  \
1071                __bpf_trace_run(prog, args);                            \
1072        }                                                               \
1073        EXPORT_SYMBOL_GPL(bpf_trace_run##x)
1074BPF_TRACE_DEFN_x(1);
1075BPF_TRACE_DEFN_x(2);
1076BPF_TRACE_DEFN_x(3);
1077BPF_TRACE_DEFN_x(4);
1078BPF_TRACE_DEFN_x(5);
1079BPF_TRACE_DEFN_x(6);
1080BPF_TRACE_DEFN_x(7);
1081BPF_TRACE_DEFN_x(8);
1082BPF_TRACE_DEFN_x(9);
1083BPF_TRACE_DEFN_x(10);
1084BPF_TRACE_DEFN_x(11);
1085BPF_TRACE_DEFN_x(12);
1086
1087static int __bpf_probe_register(struct bpf_raw_event_map *btp, struct bpf_prog *prog)
1088{
1089        struct tracepoint *tp = btp->tp;
1090
1091        /*
1092         * check that program doesn't access arguments beyond what's
1093         * available in this tracepoint
1094         */
1095        if (prog->aux->max_ctx_offset > btp->num_args * sizeof(u64))
1096                return -EINVAL;
1097
1098        return tracepoint_probe_register(tp, (void *)btp->bpf_func, prog);
1099}
1100
1101int bpf_probe_register(struct bpf_raw_event_map *btp, struct bpf_prog *prog)
1102{
1103        int err;
1104
1105        mutex_lock(&bpf_event_mutex);
1106        err = __bpf_probe_register(btp, prog);
1107        mutex_unlock(&bpf_event_mutex);
1108        return err;
1109}
1110
1111int bpf_probe_unregister(struct bpf_raw_event_map *btp, struct bpf_prog *prog)
1112{
1113        int err;
1114
1115        mutex_lock(&bpf_event_mutex);
1116        err = tracepoint_probe_unregister(btp->tp, (void *)btp->bpf_func, prog);
1117        mutex_unlock(&bpf_event_mutex);
1118        return err;
1119}
1120